The email includes the potential
victim’s password as evidence of a hack, but there is more than meets the eye
By Luis Lubeck
Earlier in April, a new
sextortion scam campaign was detected making the rounds in countries on both
sides of the Atlantic. The spam emails, detected by ESET's research
laboratory, try to dupe unwitting victims by quoting old passwords that were
exposed in earlier data breaches.
The campaign is not
altogether new, since it repurposes old scams. The first time that scammers
made waves with these tactics was in 2018 with a campaign that also
included the victim’s password in the subject line. The email itself claimed that the password
was obtained by compromising one of the recipient’s devices using malware.
However frightening this
may seem at first glance, these are just social engineering and scare tactics,
employed by cybercriminals to generate panic in the recipients of these emails.
To put it simply, it is highly unlikely that your computer has either been
accessed or compromised, at least not by the method suggested in the email, so
there is no need to panic.
In fact, a similar campaign has been spotted recently by ESET researchers: it rehashed the content
to reflect the current pandemic situation and includes a threat to infect the
victim’s whole family with coronavirus.
The new extortion campaign
borrows, or rather builds upon, the previous versions. The scammers start with
an alarming message right off the bat to get the victim’s attention, usually by
including one of the victim’s old passwords that was probably stolen as part of
a previous data breach.
Moving on, the fraudsters
claim that the victim's device was infected by some form of malware while
visiting a porn website, and that this supposedly allowed them to obtain both the victim's password
and access to their device. The scammers then purport to have made a video of
the victim and the alleged "not safe for work" content.
Once the cybercriminals
have scared their potential victims enough, they demand a sum to be paid within
24 hours or the embarrassing video will be released. They usually want the
payment to be made in bitcoin.
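The template just described (a leaked password presented as proof, a claim of malware picked up on a porn site, an alleged recording, a short deadline and a bitcoin demand) is regular enough that a mail gateway or SOC triage script can score for it. The following is an added example written for this page, not code from ESET or from the article; the indicator weights, the threshold and the two sample messages are constructed assumptions, and the bitcoin-address pattern is a syntactic check only (no checksum validation). The candidate password it extracts is returned separately so an analyst can check it against breach data rather than trust the scammer's claim.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators taken from the campaign described above. Weights and the threshold
# are assumptions chosen for this example, not values from ESET's research.
PASSWORD_CLAIM = re.compile(
    r"\b(\S{6,})\s+is\s+(?:your|one of your)\s+passwords?\b", re.I)
PORN_MALWARE_CLAIM = re.compile(
    r"\b(?:porn|adult)\b[^.]*\b(?:malware|virus|trojan|keylogger)\b"
    r"|\b(?:malware|virus|trojan|keylogger)\b[^.]*\b(?:porn|adult)\b", re.I)
VIDEO_THREAT = re.compile(r"\b(?:video|recording|webcam|camera)\b", re.I)
DEADLINE = re.compile(r"\b(\d{1,3})\s*(?:hours?|hrs?|days?)\b", re.I)
# Syntactic check only: legacy base58 (1.../3...) or bech32 (bc1...) forms.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
    r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b")

WEIGHTS = {
    "password_claim": 2,
    "password_in_subject": 2,   # the 2018 variant put the password in the subject
    "porn_malware_claim": 3,
    "video_threat": 1,
    "deadline": 1,
    "bitcoin_address": 3,
}
THRESHOLD = 6  # assumption; tune against your own mail corpus


@dataclass
class Verdict:
    score: int
    indicators: List[str] = field(default_factory=list)
    leaked_password: Optional[str] = None   # candidate to check against breach data
    btc_addresses: List[str] = field(default_factory=list)

    @property
    def is_sextortion(self) -> bool:
        return self.score >= THRESHOLD


def score_email(subject: str, body: str) -> Verdict:
    """Score one message against the indicators of the sextortion template."""
    v = Verdict(score=0)
    text = f"{subject}\n{body}"

    def hit(name: str) -> None:
        v.indicators.append(name)
        v.score += WEIGHTS[name]

    m = PASSWORD_CLAIM.search(text)
    if m:
        v.leaked_password = m.group(1)
        hit("password_claim")
        if PASSWORD_CLAIM.search(subject):
            hit("password_in_subject")
    if PORN_MALWARE_CLAIM.search(text):
        hit("porn_malware_claim")
    if VIDEO_THREAT.search(text):
        hit("video_threat")
    if DEADLINE.search(text):
        hit("deadline")
    v.btc_addresses = BTC_ADDRESS.findall(text)
    if v.btc_addresses:
        hit("bitcoin_address")
    return v


# Constructed sample messages for this example (not real emails from the campaign).
# The bitcoin address is syntactically plausible but made up.
SAMPLE_SCAM = {
    "subject": "hunter2 is your password",
    "body": (
        "I know hunter2 is one of your passwords. I placed malware on a porn "
        "website you visited and it gave me access to your device and webcam. "
        "I recorded a video of you. Send 900 USD in bitcoin to "
        "1ScamXyz7fQ9vKpL2mN4rT6wB8dH3jE5kA within 24 hours or the video goes "
        "to all your contacts."
    ),
}
SAMPLE_LEGIT = {
    "subject": "Your password was changed",
    "body": (
        "You changed your account password on 12 March. If this wasn't you, "
        "contact support within 7 days."
    ),
}

if __name__ == "__main__":
    for name, msg in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        v = score_email(**msg)
        print(name, v.score, v.is_sextortion, v.indicators, v.leaked_password)
```

The benign password-change notice trips the deadline indicator on its own, which is why the verdict rests on the combined score rather than any single pattern; a real deployment would add the bitcoin address and the quoted password to a watchlist, since the same address and breach list tend to be reused across waves of the campaign.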